Part 2 Flashcards
What is “direct evidence”?
Oral testimony that proves a specific fact.
What is “documentary evidence”?
Commercial documents, prints, manuals, etc.
What are 3 rules for evidence”
1) Better evidence: the court prefers original documents.
2) The exclusionary rule: The data collected in violation of the 4th amendment (unreasonable search and seizure) is not eligible.
3) Whether or not there is ‘hearsay”. Which is second-hand evidence and is an option not admissible. Not even computer-generated hearsay.
What is “image capturing?”
Imaging a system can be a very effective way of preserving evidence.
What is a “forensic copy”?
It is a bitwise copy that includes integrity checks in the form of a hash.
Hashing tools and algorithms create message digests that show that a copy is equivalent to the original and has not been altered.
What is “time offset”?
This is when there is a time difference between two different computers, they are not synchronized in “real time”.
What is “preservation of evidence”?
This is the process of making sure that evidence is purchased, identified, protected from tampering, transported, and stored properly. Digital copies can be edited and completed without a record of change.
Need to have safeguards against manipulation, whether intentional or not. Also collecting hashes helps as they validate copies of evidence.
What is the “recovery of evidence”?
This is determining relevant information and then retrieving it.
What is “strategic information gathering”?
This is the use of all resources to make decisions. This is limited to the management level.
What is “counterintelligence collection”?
This is the collection of information specifically directed to the strategic intelligence effort of another entity.
What are “Standard Operating Procedures (SOPs)”?
Both are needed for SOPs:
1) These are step-by-step directions on how to implement policies within an organization.
2) Standards are mandatory elements for the implementation of a policy.
What are “Trade Association Agreements (BPAs)”?
They are the legal agreements between partners. This is a legal agreement that outlines the terms, conditions, and expectations between partners.
What are “service level agreements (SLA)”?
These are negotiated agreements between two parties that outline service expectations. Technical metrics between the customer and service provider are usually described in this agreement.
What is an “interconnection security agreement (ISA)”?
It is a specialized agreement between organizations that have interconnected IT systems. ISAs document the security requirements that arise from such connections.
What are “Memorandums of Understanding (MOU)”?
These are legal documents that describe a bilateral agreement between the parties. The parties have some kind of shared goal.
What are “non-disclosure agreements (NDAs)”?
These are confidentiality agreements between a company and its staff, which describes the limits of secret corporate material and the disclosure of such information to unauthorized parties.
What are “Acceptable Use Policies (AUPs)”?
These are documents that describe what your organization considers appropriate use of its resources. This includes computer systems, email, the internet, and networks. The goal is to enable normal business productivity while limiting inappropriate use.
What are “workplace policies”?
These are policies that help the organization run better by providing rules that help people work together and allow adherence to standard operating procedures.
What is “onboarding”?
This is the process of hiring an employee and getting them going with workplace policies.
What is “offboarding”?
This is the process of removing an employee from the organization.
What are “data owners roles” responsible for?
These roles are responsible for data ownership and this is a business function where requirements for security, privacy, retention, and other business functions are set.
What are “system administrator data roles” responsible for?
These are administrative users responsible for keeping a system within defined requirements. They do not create the requirements, just enforcing them.
What are “users”?
These are ordinary users who have limited access and privileges, depending on their role and work activities.
What are “privileged users”?
These users have more access than ordinary users.
What is an “executive user”?
The is a special subcategory of a user. Often times these are people that do not need a high level of access but get it because of status; so they are natural targets of phishing attacks.
What is “risk management”? What is the importance of it?
The process of identifying, evaluating, and controlling threats to an organization’s capital and earnings. It enables organizations to try to prepare for the unexpected by minimizing additional risks and costs before they occur.
This allows companies to maximize their return on investment so that they can make more money.
What is “PII”?
This is a “customer’s” personal identifiable information.
What are 5 important benefits of risk management?
1) Create a safe workplace for all staff and customers.
2) save on unnecessary premiums.
3) reducing legal liability.
4) Protecting all persons and property involved from possible harm.
5) Provides protection against damaging events for both the company and the environment.
What are 5 possible impacts when a company has sucky risk management policies?
1) Death or injury to 3rd parties.
2) Property damage, including to commerical property, thrid-party property, or environmental property.
3) Security, or lack there of.
4) Finance. Everything costs money.
5) Reputation. Security risks can damage the ability of a company to make money.
What is “availability?”
The time required for a system to perform its intended functions.
What is “reliability”?
This is simply the measure of the lack of frequency of system failures.
What is “RTO”?
Recovery Time Objective.
The target time to resume operations after an accident.
What is “RPO”?
Recovery Point Objective.
The time period that represents the maximum acceptable data loss period.
The data loss is the differentiator. It is related to backup frequency.
What is “MTTR”?
Mean Time To Repair.
The measure of time it takes to repair a fault. This is the total downtime divided by the total failures.
What is “MTBF”?
Mean Time Before Failure.
This is a measure of the time between failures.
What are “mission-essential functions”?
These are essential functions that MUST occur for business operations.
What is “critical systems identification”?
This is identifying the data and systems that support mission essential functions.
What is “PIA”?
Private Impact Assessment.
This is the gap between desired and actual privacy performance.
What is “threat assessment”?
This is a structured analysis of the threats that a company faces. We can’t change the threats, only the way it affects us.
What are the 4 types of system threats?
1) Environmental: weather, lightning, storms, solar flares, etc.
2) Man-made: Hostile attacks or accidents by staff.
3) Insiders: Disgruntled or well-meaning employees who make a mistake that inadvertently harms the organization.
4) External: A threat outside the organization, attacking it.
What is “SLE”?
Single Loss Expectation.
This is the value of a loss expected from a single event.
What is “ARO”?
The is the annual occurrence rate, which is how many times a year we think something will happen.
What are 5 possible risk responses?
1) Avoid them by minimizing exposure.
2) Transfer of risk to another person through insurance or other methods.
3) Mitigate them by applying controls to reduce impact.
4) Just fix it, without testing.
What are “security deterrents”?
These are controls that hinder the attacker by reducing the likelihood of success from their point of view.
What are “security compensation controls”?
These controls are used to meet a requirement when one doesn’t have an option to directly address a threat.
What are “security preventative checks”?
These prevent specific actions, such as firewalls or mantraps, from being performed.
What are “security technical controls”?
These involve the use of some form of technology to address security problems, such as biometrics.
What are “security investigative checks”?
These are checks to help detect intrusions or attacks.
What are “security physical controls”?
These are capable of preventing specific physical actions from occurring.
What are “security corrective controls”?
These are used after the event and help minimize the extent of the damage.
What are “security administrative controls”?
These are procedures or policies used to limit security risks.
What is BIA?
Business Impact Analysis.
This is the process of determining the source and related values of risk elements in a process. It also describes how the loss of any critical function will affect an organization.
What is ALE?
This is the SLE multiplied by the ARO.
What is “OT”
Operational technology.
What is “Dd”?
Data domain.
What is “SAE, SOC”?
Standards of Attestations Engagement, System and Organizations Control
What is “DMARC”?
Domain-based Message Authentication, Reporting, and Conformance, or DMARC, is a technical standard that helps protect email senders and recipients from spam, spoofing, and phishing.
What is a “captive portal”?
Web page that the user of a public-access network is obliged to view and interact with before access is granted
What is a “LAMP server”?
A LAMP stack is used for backend or server-side development. A backend application is software that runs in an environment that’s hidden from end users.
What is “OAuth”? What version is currently in use?
OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user. It replaced OAuth 1.0 in 2012 and is now the de facto industry standard for online authorization.
What is “PAM”?
Privileged Access Management (PAM) is an information security (infosec) mechanism that safeguards identities with special access or capabilities beyond regular users. Like all other infosec solutions, PAM works through a combination of people, processes and technology.
What is “vulnerability scan input”?
Vulnerability scanning involves using either a software or hardware-based scanner to locate soft spots in your code that can be exploited by known attack vectors. Soft spots are typically a result of unsanitized code that permits illegal inputs.
What is “GDPR”?
The General Data Protection Regulation is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. The GDPR is an important component of EU privacy law and of human rights law, in particular Article 8 of the Charter of Fundamental Rights of the European Union.
What can “vulnerability scanning detect”?
A vulnerability scan detects and classifies system weaknesses in computers, networks and communications equipment and predicts the effectiveness of countermeasures. A scan may be performed by an organization’s IT department or a security service provide, possibly as a condition imposed by some authority.
What is the difference between a data owner and a data custodian?
The data owner is responsible for determining how the data may be used, while the custodian is responsible for implementing the protection to the data.
What is “mobile device management”?
Mobile device management (MDM) is software that allows IT administrators to control, secure and enforce policies on smartphones, tablets and other endpoints.
What is “TPM”?
TPM (Trusted Platform Module) is a computer chip (microcontroller) that can securely store artifacts used to authenticate the platform (your PC or laptop).
What is “CI”?
Continuous integration (CI) is the practice of automating the integration of code changes from multiple contributors into a single software project. It’s a primary DevOps best practice, allowing developers to frequently merge code changes into a central repository where builds and tests then run. Automated tools are used to assert the new code’s correctness before integration.
What is “CI”?
Continuous integration (CI) is the practice of automating the integration of code changes from multiple contributors into a single software project. It’s a primary DevOps best practice, allowing developers to frequently merge code changes into a central repository where builds and tests then run. Automated tools are used to assert the new code’s correctness before integration.
What is the difference between RAID 1, RAID 6, RAID 10?
How fast read and write capabilities are. RAID 1 is fastest, but also most expensive.
What is “SOAR”?
SOAR (Security Orchestration, Automation, and Response) refers to a collection of software solutions and tools that allow organizations to streamline security operations in three key areas: threat and vulnerability management, incident response, and security operations automation.
What is “DNS cache poisoning”?
Attackers can poison a DNS cache by tricking DNS resolvers into caching false information, with the result that the resolver sends the wrong IP address to clients, and users attempting to navigate to a website will be directed to the wrong place.
What is the NetBios port for Name, and what kind of transmission?
139 TCP
What is the NetBios port for Datagram, and what kind of transmission?
138 UDP
What is the NetBios port for Name, and what kind of transmission?
139 TCP
What is a “segmentation fault”?
It is an error that will typically stop a program from running, also called a denial of service. A denial of service is NOT just with websites.
This type of error is unlikely to cause a data breach or allow privilege escalation, and permission creep occurs as individuals get more permissions.
What is “log aggregation”?
It is used to pull together logs from multiple sources and performing collection and initial analysis on log collectors can help centralize and handle large log volumes.
What is a “fusion center” and what is the purpose?
The fusion centers represent a shared commitment between the federal government and the state and local governments who own and operate them.
What is “domain hijacking”? Aka domain theft.
This occurs when the registration or other info for the domain is changed w/o the original registrant’s permission.
What is “wardriving”?
This involves hackers gaining unauthorized access to wireless networks.
Wireless networks can most often be scanned from any smartphone. It is just a matter of finding networkings to try and brute force if needed.
What is “war flying”?
War flying is the act of using an airplane and a wireless network detector to find wifi wireless network locations.
What is “elicitation”?
This is the process of eliciting information through conversation to gather useful information.
What is a “pharming attack”?
In a pharming attack, users aren’t tricked into navigating to a malicious website. Instead, the attacker steals data using malware background processes or automatically sends a user to a phishing website in their browser. Pharming is much more effective than phishing because it doesn’t require the user to click a link.
What is “APT” and how is it performed?
An Advanced Persistant Threat is a significant threat are those of state actors or nation-state actors who often have greater resources and skills at hacking, thus making them a more significant threat.
What is “prepending”?
Adding an expression or phrase to an email, subject line or headers to protect or fool users. It can also be used for adding data as part of an attack, or into a conversation to get targets thinking about what attacker wants them to think about.
What is “pretexting”?
It is a social engineering technique where attackers use a reason that is intended to ne believable to the target for what they are doing.
What is “SQL injection”?
This is an attempt to add SQL code to a web query to gain access to data.
What is “PUP”?
A potentially unwanted program. Spyware and adware are common examples.
What is a “worm”?
These are self-spreading malware that exploit vunerabilities to spread via a network.
What is a “trojan”?
This is a piece of software pretending to legitimate software or paired with legitimate softwareto gain entry to a system or device.
What is a “RAT”?
This is a remote access trojan, malware that gives the attacker remote access to the virtual machine.
What is a “XSRF” or “CRSF”?
Cross-site request forgery, it sends forged requests to a website, supposedly from a trusted user
What is “XSS”?
This is the injection of scriptsinto a website to exploit the users.
What is a “buffer overflpw”?
This tries to put more data in a variable than a variable can hold.
What is “pharming”?
This attempts to redirect traffic intended for a legitimate site to another maliscious site. Attackers usually do this by changing the local hosts file or by exploiting a trusted DNS server.
What is “spinning an account”?
This is changing the password for an account, often because of a compromise or to prevent a user from logging back into it while preserving the accoubnt.
What is “password spraying”?
This is a brute force attack which uses a smaller list of common passwords across many accounts to attempt to login. I.e. is a attack on everyone in the marketing department.
What is a “EULA”?
End user licensing agreement. It is the contract that users sign when they use software.
What is a “sniper”?
This is an enumeration test to enumerate and scan for vulnerabilities. Often used by bug bounty researchers and corporate security teams to find issues, patch defects, and manage environments.
What is “spear phishing”?
Targeting a specific group of people.
What is “a logic bomb”?
Malware performs its malicious activity when some condition is met.
What is “XSS”?
Entering a script into text areas that other users will view.
What is “clickjacking”?
“It is about tricking users into clicking the wrong thing.
What is “log segregation”?
This pulls together logs from multiple sources, and performing and initial analysis on log collectors that can help centralize and handle large log volumes.
What are “white teams?
These are judges and observers during cybersecurity exercises.
What are “APIs”?
APIs are mechanisms that enable two software components to communicate with each other using a set of definitions and protocols.
What is a “server-side request forgery”?
This is typically an attempt to get HTTP data passed through a website and will not include SQL injection. Ways to prevent SSRF include blocking sensitive hostnames, IP
addresses, URLs, and the use of whitelist-based input filters.
What is an “unknown environment” box test?
This is called a black-box or zero-knowledge test because it does not provide information beyond the basic information needed to identify the target.
What is a “known-environment” box test?
This is a white-test box that involves very complete information being given to the tester.
What is a “pivot”?
A pivot occurs when you exploit one machine and use that as a basis to attack other systems. This can be done from internal and external sites.
What is “shimming”?
This is when the attacker places some malware between an application and some other file and intercepts the communication to that file (usually to a library or system API).
What is “refactoring”?
This is the process of changing names of variables, functions, and so forth in a program.
What is an “SYN flood”?
This is when many SYN packets are sent without a full three-way handshake.
What is a “rainbow table”?
It is a table to passwords on one side and hashes on another.
What is a “pass-the-hash” utilized? When does it happen?
Atype of cybersecurity attack in which an adversary steals a “hashed” user credential and uses it to create a new user session on the same network.
These are usually based in Windows environments.
Where does a SQL injection attack occur?
At the server level.
What is a “CVE” list?
This is a Common Vulnerabilities and Exposures (CVE) list that has entries that describe and provide references to publically known cybersecurity vulnerabilities. A CVE feed will provide updated information about new vulnerabilities and a useful index number to cross reference with other services.
What is a “birthday attack”?
This exploits the birthday problem in probability theory and relies on finding collisions between random attempts and the number of potential permutations of a solution.
These attacks are one method of attacking cryptographic hash functions. They are not a social engineering attack, a network denial-of-service attack, or a TCP/IP protocol attack.
What is a “dictionary attack”?
This is a list of words that are believed to be likely passwords.
What is “session hijacking”?
This is when an attacker takes over an authenticated session.
What is a “downgrade attack”?
This attack seems to make a Transport Layer Security (TLS) connection use a weaker cipher version, thus allowing the attacker to more easily break the encryption and read the protected data.
What is a “disassociation attack”?
This is when the attacker attempts to force the victim into disassociating from a resource, like a network connection creating a MITM potential scenario.
What does phishing target usually?
This attack usually targets personal information and sensitive issues like credit card numbers and passwords.
What is a “false flag”?
Then is when there is an attempt to transfer blame to another organization. This happens a lot in the military.
What is “MAC flooding”?
This is an attempt to overflow a switch’s MAC table, causing the switch to send all traffic to all ports rather than to the port that a given MAC address is associated with. This is an attack that happens with older switches.
What is a “race condition”?
A race condition is an undesirable situation that occurs when a device or system attempts to perform two or more operations at the same time, but because of the nature of the device or system, the operations must be done in the proper sequence to be done correctly.
What is “spyware”?
It is malware that records user activities.
What is a “Postgres server”?
This is a server with a database admin account only and does not have a password. It is very easy to crack.
What is “vertical movement”?
This is when the attacker gains access to systems or accounts with a higher security or trust level.
What is a “buffer overflow attack”?
This is when boundaries are not checked in a variable and the attacker tries to put in more data than the variable can hold.
What is “consensus”?
This is aka social proof, a social engineering attack that leverages the fact that people are often willing to trust groups of other people.
When do memory leaks happen?
When memory is allocated but not de-allocated.
What are “fileless viruses”?
These are viruses that take advantage of PowerShell to perform actions once they have used a vulnerability in a browser or browser plug-in to inject themselves into system memory.
What is “ARP poisoning”?
aka Address Resolution Protocol (ARP) spoofing, this is when an attacker sends malicious packets to the default gateway of a local area network, causing it to change the mappings it maintains between the hardware (MAC) addresses and IP addresses.
What is “memory overflow”?
Nothing, it is not a term used.
What are “memory leaks”?
This causes memory exhaustion or other issues over time as memory is not properly reclaimed. Leaks do not actually leak and they do not allow SQL injection.
How are software updates of servers usually applied?
As firmware updates.
What is “bluejacking”?
This sends unsolicited messages to Bluetooth devices.
What is “war dialing”?
This is dialing numbers hoping a computer modem answers.
What are “dictionary attacks”?
These are lists of common passwords as well as common substitutions to attempt to break into a system or service.
What are “back-off algorithms”?
These lock out attackers after a small number of incorrect password attempts, which can slow or stop dictionary attacks and other brute-force password attacks.
What are “water-holing” attacks?
These are attacks against target groups by focusing on commonly shared behaviors like visiting specific websites.
There are no such things as watercooler, phishing net, and phish pond attacks.
Steps to harden a LDAP server?
Focuses on user input validation and filtering of output to ensure that an excessive amount of data is not being returned in queries. As with all services, LDAP should be one of the first to be secured.
What is “certificate expiration tracking”?
This is used to ensure that website certificates are current, but it does not prevent URL redirection attacks.
Modern browsers display the full URL to prevent this.
What are “directory traversal attacks”?
These attempt to exploit tools that can read directories and files by moving through the directory structure.
Adding common directory names and common filenames can allow attackers and penetration testers to read other files in accessible directories if they are not properly secured.
What is the “US Trusted Foundry program”?
This is intended to prevent supply chain attacks by ensuring end-to-end supply security for important circuits and electronics.
What are some sites of visualizations and aids for data gathered of real-time or near real-time events, collected by vendors and other organizations.
threatmap.com
fortiguard.com
threatmap.checkpoint.com
What are “purple teams”?
These are a combination of red and blue teams intending to leverage the techniques of both sides to improve organizational security.
What are “directory traversal attacks”?
These are attempts to exploit tools that can read directories and files by moving through the file structure.
I.e. reading.the config.txt file three layers above the working directory. Adding common directory or file names can allow attackers (or penetration testers) to read other files of directories not properly secured.
What is “soar” and what does it do?
Security orchestration, automation, and response. Designated to integrate with a broader range of both internal and external applications.
What Windows and Linux areas or files contain passwords?
Windows Security Account Manager (SAM) file and /etc/shadow file for Linux.
These are both common places for brute farce attacks.
What is “SSL stripping”?
This requires attackers to pursuade victims to send traffic through them via HTTP while continuing to send HTTPS encrypted traffic to the legitimate server by pretending to be the victim.
It is not a brute force attack, a Trohan attack wpuld require malware, and a downgrade attack would try to move the encrypted session to a less secure encryption protocol.
What is the “US Trusted Foundry” and what does it do?
It is intended to prevent supply chain attacks by ensuring end-to-end supply chain security to important circuits and electronics.
Where are threatmaps found?
And what is the point?
threatmap.fortiguard.com or threatmap.checkpoint.com
These are visualizations of real-time or near real-time data gathered by vendors and other organizations that can help visualize major threats and aid in analysis of them.
What is “bluesnarfing”?
It involves accessing data from a Bluetooth device when it is range.
What is “bluejacking”?
This involves sending unsolicited messages to Bluetooth devices when they are in-range.
What are the rules of engagement for a penetration test?
1) Type and scope of testing
2) client contact info
3) requirements for when the team should br notified
4) sensitive data handling requirements
5) details of regular meetings and reorts.
What does the linux command “cron” do?
It starts a reverse shell and is often on port 8989.
What is “proprietary or closed threat intelligence”?
This threat this is not openly available, OSINT, or open source threat intelligence.
What is “maneuver,,” in relation to cyber-security?
The context of tgreat hunting, as how to think like a malicious user to help you identify potential indicators of compromise in your environment.
What is a “SYN flood attrack”?
It is a resource exhaustion attack that uses up all available sessions it is aimed at.
What is “pretexting”?
This is a type of social engineering that involves using a false motive and lying to obtain data.
